Virtual postage meter with secure digital signature device

ABSTRACT

A system and method of evidencing postage payment includes a data center with a database storing a plurality of meter records. Each meter record includes meter information corresponding to a metering account. When a request for postage is received, a secure co-processor device in the data center obtains the appropriate meter record and verifies the authenticity of the meter record by verifying a signature in the meter record and comparing freshness data in the meter record to freshness data in the secure device. If verified, the secure device then accounts for an amount of postage to be evidenced, generates evidence of postage payment and updates the meter information, including the freshness data, in the meter record. The secure device then signs the updated meter information, stores the signature in the meter record, and returns the updated meter record to the database.

RELATED APPLICATIONS

This is a continuation-in-part application of U.S. Provisional Patent Application Ser. No. 60/049,518, filed Jun. 13, 1997, now abandoned, and assigned to the assignee of the present invention.

The present application is related to the following U.S. patent application Ser. Nos. 09/242,210; 09/242,208; 09/242,209; 09/242,206 and 09/242,205, all being assigned to the assignee of the present invention, all of which are incorporated herein by reference in their entirety.

TECHNICAL FIELD

The present invention relates generally to a postage metering system and method for evidencing postage payment in an open system and, more particularly, to a postage metering system and method for evidencing postage payment in a virtual meter configuration.

BACKGROUND ART

Postage metering systems have been developed which employ encrypted information that is printed on a mailpiece as part of an indicium evidencing postage payment. The encrypted information includes a postage value for the mailpiece combined with other postal data that relate to the mailpiece and the postage meter printing the indicium. The encrypted information, typically referred to as a digital token or a digital signature, authenticates and protects the integrity of information, including the postage value, imprinted on the mailpiece for later verification of postage payment. Since the digital token incorporates encrypted information relating to the evidencing of postage payment, altering the printed information in an indicium is detectable by standard verification procedures. Examples of systems that generate and print such indicia are described in U.S. Pat. Nos. 4,725,718, 4,757,537, 4,775,246 and 4,873,645, each assigned to the assignee of the present invention.

Presently, there are two postage metering device types: a closed system and an open system. In a closed system, the system functionality is solely dedicated to metering activity. Examples of closed system metering devices, also referred to as postage evidencing devices, include conventional digital and analog (mechanical and electronic) postage meters wherein a dedicated printer is securely coupled to a metering or accounting function. In a closed system, typically the printer is securely coupled and dedicated to the meter, and printing evidence of postage cannot take place without accounting for the evidence of postage. In an open system, the printer is not dedicated to the metering activity, freeing system functionality for multiple and diverse uses in addition to the metering activity. Examples of open system metering devices include personal computer (PC) based devices with single/multi-tasking operating systems, multi-user applications and digital printers. An open system metering device is a postage evidencing device with a non-dedicated printer that is not securely coupled to a secure accounting module. An open system indicium printed by the non-dedicated printer is made secure by including addressee information in the encrypted evidence of postage printed on the mailpiece for subsequent verification. See U.S. Pat. Nos. 4,725,718 and 4,831,555, each assigned to the assignee of the present invention.

The United States Postal Service (“USPS”) has proposed an Information-Based Indicia Program (“IBIP”), which is a distributed trusted system to retrofit and augment existing postage meters using new evidence of postage payment known as information-based indicia. The program relies on digital signature techniques to produce for each envelope an indicium whose origin can be authenticated and content cannot be modified. IBIP is expected to support new methods of applying postage in addition to the current approach, which typically relies on a postage meter to print indicia on mailpieces. IBIP requires printing a large, high density, two-dimensional (“2-D”) bar code on a mailpiece. The 2-D bar code encodes information and is signed with a digital signature.

The USPS has published draft specifications for IBIP. The INFORMATION BASED INDICIA PROGRAM (IBIP) INDICIUM SPECIFICATION, dated Jun. 13, 1996, and revised Jul. 23, 1997, (“IBIP Indicium Specification”) defines the proposed requirements for a new indicium that will be applied to mail being created using IBIP. The INFORMATION BASED INDICIA PROGRAM POSTAL SECURITY DEVICE SPECIFICATION, dated Jun. 13, 1996, and revised Jul. 23, 1997, (“IBIP PSD Specification”) defines the proposed requirements for a Postal Security Device (“PSD”), which is a secure processor-based accounting device that dispenses and accounts for postal value stored therein to support the creation of a new “information based” postage postmark or indicium that will be applied to mail being processed using IBIP. The INFORMATION BASED INDICIA PROGRAM HOST SYSTEM SPECIFICATION, dated Oct. 9, 1996, defines the proposed requirements for a host system element of IBIP (“IBIP Host Specification”). IBIP includes interfacing user, postal and vendor infrastructures which are the system elements of the program. The INFORMATION BASED INDICIA PROGRAM KEY MANAGEMENT PLAN SPECIFICATION, dated Apr. 25, 1997, defines the generation, distribution, use and replacement of the cryptographic keys used by the USPS product/service provider and PSDs (“IBIP KMS Specification”). The specifications are collectively referred to herein as the “IBIP Specifications”.

The IBIP Specifications define a stand-alone open metering system, referred to herein as a PC Meter comprising a PSD coupled to a personal computer (“PC”) which operates as a host system with a printer coupled thereto (“Host PC”). The Host PC runs the metering application software and associated libraries (collectively referred to herein as “Host Applications”) and communicates with one or more attached PSDs. The PC Meter can only access PSDs coupled to the Host PC. There is no remote PSD access for the PC Meter.

The PC Meter processes transactions for dispensing postage, registration and refill on the Host PC. Processing is performed locally between the Host PC and the PSD coupled thereto. Connections to a Data Center, for example for registration and refill transactions, are made locally from the Host PC through a local or network modem/internet connection. Accounting for debits and credits to the PSD is also performed locally, logging the transactions on the Host PC. The Host PC may accommodate more than one PSD, for example supporting one PSD per serial port. Several application programs running on the Host PC, such as a word processor or an envelope designer, may access the Host Applications.

The IBIP Specifications do not address an IBIP open metering system on a network environment. However, the specifications do not prohibit such a network-based system. Generally, in a network environment a network Server controls remote printing requested by a Client PC on the network. Of course, the Client PC controls any local printing.

One version of a network metering system, referred to herein as a “virtual meter”, has many Host PCs without any PSDs coupled thereto. The Host PCs run Host Applications, but all PSD functions are performed on Server(s) located at a Data Center. The PSD functions at the Data Center may be performed in a secure device attached to a computer at the Data Center, or may be performed in the Data Center computer itself. The Host PCs must connect with the Data Center to process transactions such as postage dispensing, meter registration, or meter refills. Transactions are requested by the Host PC and sent to the Data Center for remote processing. The transactions are processed centrally at the Data Center and the results are returned to the Host PC. Accounting for funds and transaction processing are centralized at the Data Center. See, for example, U.S. Pat. Nos. 5,454,038 and 4,873,645, which are assigned to the assignee of the present invention.

The virtual meter does not conform to all the current requirements of the IBIP Specifications. In particular, the IBIP Specifications do not permit PSD functions to be performed at the Data Center. However, it is understood that a virtual meter configuration with each mailer's PSD located at the Data Center may provide an equivalent level of security as required by the IBIP Specifications.

In conventional closed system mechanical and electronic postage meters a secure link is required between printing and accounting functions. For postage meters configured with printing and accounting functions performed in a single, secure box, the integrity of the secure box is monitored by periodic inspections of the meters. More recently, digital printing postage meters typically include a digital printer coupled to a metering (accounting) device, which is referred to herein as a postal security device (PSD). Digital printing postage meters have removed the need for physical inspection by cryptographically securing the link between the accounting and printing mechanisms. In essence, new digital printing postage meters create a secure point to point communication link between the PSD and print head. See, for example, U.S. Pat. No. 4,802,218, issued to Christopher B. Wright et al. and now assigned to the assignee of the present invention. An example of a digital printing postage meter with secure print head communication is the Personal Post Office™ manufactured by Pitney Bowes Inc. of Stamford, Connecticut.

In U.S. Pat. Nos. 4,873,645 and 5,454,038, a virtual metering system and method are disclosed wherein the postal accounting and token generation occur at a data center remote from the postage evidencing printer. Although the Data Center may be a secure facility, there remain certain inherent security issues since the accounting and token generation functions do not occur in a secure device local to the postage printer. The virtual postage metering system includes a computer coupled to an unsecured printer and to a remote data metering system. The postal accounting and the token generation occur at the Data Center.

The Data Center is a centralized facility under the control of a meter vendor, such as Pitney Bowes, or the Postal Service. As such, it is regarded as secure compared to the environment in which customers handle meters directly. However, data stored at the Data Center is accessible to Data Center personnel and, therefore, at a minimum, subject to at least inadvertent modification by such personnel. Any unauthorized changes to the user and meter data stored at the Data Center compromise the integrity of the virtual metering system.

DISCLOSURE OF THE INVENTION

It has been determined that a virtual postage metering system provides benefits that are not available under conventional postage payment systems. For the Posts, a virtual postage metering system provides central management of all postage without the need to manage physical meters or PSDs. A further benefit is the opportunity to directly associate a mailer to each mailpiece as opposed to each reset. For mailers, no metering hardware, i.e. postage meter or PSD, is needed. Nor do mailers need to maintain current lists of valid addresses, such as with purchased CD-ROMs. Mailers can acquire postage on an as-needed basis. Finally, meter vendors do not have to keep track of physical meters. A virtual postage metering system eliminates stolen or relocated meter problems and simplifies meter management in general.

The present invention provides digital data security for a Data Center of a virtual postage metering system that prevents inadvertent and intentional modifications to meter and user data stored at the Data Center. In accordance with the present invention security boxes are used to protect against unauthorized alteration of meter and user records stored at the data center. The present invention also provides secure control of the digital token generation process and the associated secure accounting for each postage evidencing transaction occurring at the data center.

Security issues for the virtual postage metering system include user authentication, financial and postage transactions, and meter records. For the user authentication and meter records, the database holds encryption keys in cipher text and not in plain text. For each transaction, all data, including a time stamp or sequence number, used to complete the transaction are digitally signed and the signature is stored as part of the updated transaction record. It has been found that maintaining transaction records in this manner prevents inadvertent modification of the records.

Although the digital signature provides reasonable security, it is not bulletproof. It has been found that a historically signed record could be used in place of a current record, requiring a more robust verification system to detect such “tampering”. In accordance with the present invention, another level of security is added. It has been found that once the signature is verified, the transaction data can be checked for freshness to eliminate any possibility of tampering, inadvertent or intentional.

In accordance with the present invention, a system and method of evidencing postage payment provides a secure box that is used to sign the transaction data and to authenticate meter and user records. The system and method includes a data center with a database having a plurality of meter records stored therein. Each meter record includes meter information corresponding to a metering account assigned to each of a plurality of remote user devices that are authorized to request evidence of postage payment. When a request for postage is received at the data center, a secure co-processor device in the data center obtains the appropriate meter record and verifies the authenticity of the meter record by verifying a signature in the meter record and comparing freshness data in the meter record to freshness data in the secure device. If verified, the secure device then accounts for an amount of postage to be evidenced, generates evidence of postage payment and updates the meter information, including the freshness data, in the meter record. The secure device then signs the updated meter information and stores the signature in the meter record. The secure device then returns the updated meter record to the database.

BRIEF DESCRIPTION OF THE DRAWINGS

The above and other objects and advantages of the present invention will be apparent upon consideration of the following detailed description, taken in conjunction with accompanying drawings, in which like reference characters refer to like parts throughout, and in which:

FIG. 1 is a block diagram of a virtual postage metering system for dispensing postage embodying the principles of the present invention;

FIG. 2 is a block diagram of the Data Center database server and secure box for the virtual postage metering system of FIG. 1;

FIG. 3 is a flow chart of the process for evidencing postage by the virtual postage metering system of FIG. 1; and

FIG. 4 is a flow chart of the process performed within the secure meter box of the virtual postage metering system of FIG. 1.

BEST MODE FOR CARRYING OUT THE INVENTION

In describing the present invention, reference is made to the drawings, wherein there is seen in FIG. 1, a virtual postage metering system, generally designated 10. The virtual postage metering system 10 includes a plurality (only one is shown) of personal computer (PC) systems, generally designated 20, each having access to a printer 22 for printing evidence of postage on an envelope or label. PC 20 is connected with a transaction processing Data Center 30 that performs postal accounting and evidencing of postage. The virtual postage metering system 10 allows each mailer to use a conventional PC to remotely obtain evidence of postage payment on an as needed basis. Unlike conventional postage metering systems, virtual postage metering system 10 does not include any meter hardware located at the mailer's site. Nor are any postal funds stored at the mailer's site. All metering and accounting of funds occur at Data Center 30 using functional software and database records representing each mailer's “postage meter”, referred to herein as a “meter account”.

The accounting method for virtual postage metering system 10 may be a conventional prepayment or post-payment system. The preferred method is a prepayment method wherein each mailer is required to put a minimum amount of money into the mailer's virtual meter account. As account funds drop below a specific level a refill is charged against the mailer's account. An alternate accounting method that is suitable for a virtual postage metering system is a real-time payment method in which the amount of a transaction is charged to a mailer's credit card account when the transaction occurs. This method is referred to herein as a “trickle charge” postage payment, because the mailer does not pay for postage for a mailpiece until the mailer is ready to print the mailpiece.

In the virtual postage metering system, a “meter” vendor, such as Pitney Bowes Inc., provides the mailer with client software that runs on PC 20, e.g., the client software may be downloaded from the vendor's Internet server. Alternatively, the client software may be the Internet browser based home pages that provide user interactions with the Data Center 30. The meter vendor also manages Data Center 30. The client software initiates communications with Data Center 30 which performs metering transactions to evidence postage for single mailpieces or batches of mailpieces. In the preferred embodiment, the client software establishes a connection to the Data Center, and requests postage by providing postal information relating to the requested transactions, such as postage amount, addressee information and (optionally) the origin of deposit for each mailpiece. Data Center 30 receives the postal information, determines the origin zip for the mailpiece(s), performs accounting functions and generates an encrypted evidence of postage payment, such as a token or digital signature, and sends indicium information including the token, to PC 20. PC 20 receives the indicium information, creates an indicium bitmap, which can be displayed on a PC monitor (not shown) and printed on the mailpiece by printer 22. PC 20 then disconnects from Data Center 30 or requests another transaction. The connection between PC 20 and Data Center 30 may be through a Network Service Provider, such as on the Internet, or by direct dial using the PC's modem.

Virtual postage metering system 10 eliminates the need to maintain and account for traditional metering devices at each mailer's site and provides flexibility for handling requests from multiple origins of deposit by each mailer. Virtual postage metering system 10 also provides value added services that are not available with conventional meter devices, such as, real-time address hygiene, direct marketing services and trickle charge postage payment. Virtual postage metering system 10 provides user authentication by Data Center 30 to identify mailers with valid accounts. When a mailer has been authenticated for each request, for example, by a username, password or other conventional methods, Data Center 30 services the request, and returns indicium information to the PC 20 where the indicium is created and printed on the mailpiece.

Referring again to FIG. 1, the mailer initiates a postage evidencing transaction by running client software in PC 20, which contacts Data Center 30. At Data Center 30, a Communication Server 32 supports connectivity from various communication technologies and protocols. The Communication Server merges all incoming traffic and routes it to a Function Server 34, which includes application software that supports mailer sign-on, postage dispensing and postal reporting. All mailer and meter information is accessed from a Database Server 36 where the information is securely stored using secure cryptographic processes and protocols as described below. Data Center 30 maintains cryptographic keys for each meter account in Database Server 36. The cryptographic keys are used for postage evidencing and verification as well as for security of the records stored in Database Server 36. A Key Management System 38 administers all cryptographic keys used in virtual postage metering system 10. The cryptographic keys may be distributed to verifiers in remote locations. U.S. Pat. No. 5,812,666, assigned to the assignee of the present invention, describes such a key management system.

A mailer may establish a meter account through an on-line sign-up process with Data Center 30. During sign-up, the mailer enters, at PC 20, account information, such as user name, password and method of payment. Any registration fees can be charged at this time. Data Center 30, preferably administered by a meter vendor, such as Pitney Bowes Inc., arranges all meter licenses and agreements between its mailers and the Post.

In the present invention, the PSD does not exist, i.e., there is no metering device coupled to the PC from which postage payment is requested. Virtual postage metering system 10 replaces the accounting and metering functions of the PSD with metering software at PC 20 and mailer account information performed and updated at Data Center 30. The virtual postage metering system 10 provides each mailer with a metering system that has the capability of originating transactions from multiple origins of deposit. See, for example, previously noted U.S. patent application Ser. No. 09/242,206.

Various methods can be used to determine the origin of deposit for a requested transaction. For example, a method for determining origin zip code using a caller ID from a telephone call is disclosed in U.S. Pat. No. 5,943,658, assigned to the assignee of the present invention, which is hereby incorporated in its entirety by reference.

In accordance with the present invention, one or more cryptographic modules, referred to herein as secure “boxes”, are located within Data Center 30 and are used to perform cryptographic processes. Each secure box is a secure, tamper-evident and tamper-responding device, including a processor and memory, that stores encryption keys and performs cryptographic operations using the keys within the secure boundary of the device. Data Center 30 includes several types of secure boxes, which are described below. In the preferred embodiment, Data Center 30 includes multiple boxes of each type for redundancy and performance.

Key Management System 38 includes a manufacturing box (not shown) that provides top-level keys used to generate random numbers for seeding each of the other secure boxes. By sharing a common cryptographic key, the secure boxes communicate securely within Data Center 30. Key Management System 38 also includes a “steel” box (not shown) that shares a common key with meter box 44 (described below) to encrypt/decrypt master token keys for postage evidencing transactions for each meter account. The steel box merges a vendor key and a postal key into one record in cipher text. For each meter account, Data Center 30 creates a logical meter, i.e. a meter record, in Database Server 36 by generating a token key using the vendor and postal keys, initializing meter registers (ascending and descending), meter freshness data (described below) and other postal information as part of the meter record, and then storing the meter record in Database Server 36.

Data Center 30 also includes a meter box 44 that shares a secret key with the steel box for decrypting the token key encrypted in the meter record. Meter box 44 also holds the key used for digital signature of transaction records. The only other information stored in meter box 44 is freshness data for each meter record processed by meter box 44. For each postage transaction, meter box 44 generates at least one digital token or signs the postage transaction, and updates the meter record corresponding to the transaction. Each meter record in Database Server 36 includes postal funds as well as the token keys in cipher text. Meter box 44 uses the token keys to generate tokens, updates the postal funds in the meter record, and signs the updated meter record. In this manner, meter box 44 performs and controls the secure accounting for each transaction. Meter box 44 can also be used to verify the token or the transaction signature for verification of the postage evidencing for the transaction.

Data Center 30 also includes an authentication box 40 that shares a different secret key with the steel box to decrypt a user authentication key stored in cipher text in Database Server 36. Authentication box 40 also executes the authentication algorithms using the decrypted authentication key to authenticate a mailer. This function may be added to the steel box of key management system 38 to eliminate the need for a separate box at Data Center 30.

Finally, Data Center 30 includes a transaction box 42 that shares another secret key with the steel box to sign user transaction records other than the meter records signed by meter box 44, such as logins and login history records. Transaction box 42 later verifies the transaction record signature when the next transaction is requested.

Referring now to FIG. 2, a configuration of Database Server 36, including a meter database 60, a mailer database 62 and a database of meter records 64, is shown. Meter database 60 comprises meter information associated with each meter account, such as, meter serial number, record update counter, ascending register, descending register and other postal values. Mailer database 62 comprises mailer information and information that associates a mailer with a meter account.

In operation, Communication Server 32 receives a request for a meter transaction from mailer PC 20. The application software in the Function Server 34 controls the processing of the transaction request. Function Server 34 accesses mailer database 62 and meter database 60 to obtain records, including the appropriate meter record 64, corresponding to the meter account of the mailer initiating the request. Function Server 34 communicates mailer records from mailer database 62 to authentication box 40, which then authenticates the mailer requesting the transaction. Once the mailer has been authenticated, Function Server 34 communicates the appropriate meter record 64 to meter box 44, which verifies a signature and freshness data for the record. Meter box 44 decrypts the encrypted key(s) that are stored within meter record 64, performs accounting functions on the ascending and descending registers in meter record 64, and uses the key(s) to generate a token for the requested transaction. Meter box 44 then generates data for an indicium, and re-signs meter record 64. The updated and signed record is then sent back to Database Server 36 where it is stored as part of meter database 60.

At Data Center 30, the authentication keys are not available in plain text, but must be distributed to the mailer. Conventional methods of distributing and updating the authentication key for each mailer can be used. See, for example, previously noted U.S. Pat. No. 5,812,666, which describes a key management system for distributing and updating cryptographic keys to the secure boxes and the mailer's PC.

One of the important tasks for key management system 38 is to obtain the postal key and associate it with a vendor key. In key management system 38, the steel box creates a meter serial number, manufacturing number, vendor and postal keys in one meter record 64 for each meter account.

For the encryption/decryption algorithms, a set of triple DES keys is used for encrypting the encryption keys that generate tokens or signatures for indicia. Another set of triple DES keys is used for signing meter records. Meter box 44 securely stores both sets of triple DES keys. In order to avoid using only one key to encrypt the entire set of meter keys for generating tokens or signatures for indicia, a derived key is used. The first set of triple DES keys derives triple DES keys by encrypting the meter (account) serial number in each meter record. The derived triple DES keys then encrypt the encryption keys for the indicia which are to be stored in the Database Server 36. The second set of triple DES keys, for signing, derives the signature keys in a similar manner, i.e. using the meter serial number as data to derive keys. It will be understood that one set of triple DES keys can be used for both purposes. However, it is desirable that each set of keys be used only for one purpose.

In the preferred embodiment of the present invention, one common key is used to sign all transactions and records that require a digital signature, such as, meter records, postage transactions, funds transfer records, master account records, etc. Multiple boxes of each type are used for redundancy and to share the workload as the number of transactions grows. The signing box, such as meter box 44 or authentication box 40, will also verify the signature of a record.

With regard to the signature algorithm for meter record 64, a message authentication code (MAC) is employed to provide message integrity for the sensitive virtual meter records. This MAC involves multiple applications of the Data Encryption Standard (DES). The signature keys will be updated using the current month and year. During manufacturing, two initial master keys will be entered into the non-volatile memory (NVM) of meter box 44. NVM is used both for permanent storage and for the prevention of external access to the key information. The keys for indicia and the keys for signature are derived in a conventional manner, such as described above. The virtual meter record signature verification algorithm simply recalculates the signature of the meter record 64 using the signature algorithm and data within meter record 64 and compares the calculated signature to the signature in meter record 64.

Referring now to FIG. 3, the process for securely performing a postage evidencing transaction in a virtual postage metering system is described. At step 100, Communication Server 32 receives a request for postage evidencing from mailer PC 20. At step 105, Function Server 34 requests access to the mailer's account information stored in Database Server 36. At step 110, Database Server 36 sends mailer information and meter information, including a meter record associated with the mailer initiating the request. At step 115, Function Server 34 sends the mailer information to Authentication Box 40. When the mailer is authenticated at step 120, then, at step 125, Function Server 34 sends the meter information, including the meter record, to meter box 44. At step 130, meter box 44 authenticates the meter record, decrypts the encrypted token key which is part of the record, verifies freshness of the record, performs accounting, generates a token, updates the freshness data and signs the meter record, which is returned to Function Server 34. At step 135, Function Server 34 sends the updated and signed meter record to Database Server 36 and sends to the Communication Server 32 the token and associated postal information needed to create an indicium. At step 140, Database Server 36 stores the updated and signed meter record. At step 145, Communication Server 32 sends the token and postal information to mailer PC 20.

Referring now to FIG. 4, the process performed within the secure meter box of the virtual postage metering system is described. At step 200, meter box 44 receives a signed meter record. At step 205, the signature of the meter record is verified. If it is not verified at step 210, then, at step 215, the meter box ends the transaction and alerts Function Server 34 to possible tampering. If the signature has been verified, then, at step 220, the meter box compares the freshness data that is stored in the meter box for each meter account to the freshness data stored as part of the meter record. The freshness data chosen for this comparison must be data that is unique for each transaction. In the preferred embodiment, the record update counter is used; however, a random number, time stamp or other nonce may be used. The comparison at step 220 prevents inadvertent or intentional substitution of an old meter record for the current meter record during the virtual postage metering transaction. The signature check alone would not detect such a substitution, because an old meter record still carries a signature that the meter box itself generated when that record was current.

At step 225, if the compared freshness data are not identical, then, at step 230, the meter box ends the transaction and alerts Function Server 34 to possible tampering. If the freshness data stored in the meter record is identical to the freshness data for that meter record stored in the meter box, then, at step 235, the meter box decrypts the token key that was received in encrypted form as part of the meter record. At step 240, the meter box performs the accounting functions for the transaction, such as incrementing the ascending register, decrementing the descending register and incrementing the record update counter. At step 245, the freshness data in the meter record is updated. At step 250, the freshness data stored in meter box 44 is updated. At step 255, the meter box generates the token using the decrypted token key. At step 260, the meter box updates the meter record by storing the new register values and record update counter in the meter record, and then signs the updated record using a key stored in the meter box. At step 265, the meter box sends the updated and signed meter record to Database Server 36 for storage until the next transaction for the meter account assigned to the meter record.
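The meter box procedure of FIG. 4, together with the meter record signature verification described earlier (recalculate the MAC over the record and compare), as an added example in Python. This is not code from the patent or from any product it describes. It substitutes HMAC-SHA256 for the page's multiple-application DES MAC and a keyed keystream XOR for the unspecified token-key encryption; the account identifier, key labels, month/year period string, amounts, the token format and the insufficient-funds check are all constructed assumptions.

```python
from __future__ import annotations
import hmac
import hashlib
from dataclasses import dataclass, replace


class TamperAlert(Exception):
    """Raised when a record fails the signature or freshness check (steps 215 / 230)."""


@dataclass(frozen=True)
class MeterRecord:
    account_id: str
    ascending: int          # total postage ever dispensed (cents), ascending register
    descending: int         # postage still available (cents), descending register
    update_counter: int     # freshness data: number of transactions processed
    enc_token_key: bytes    # token key, encrypted under the meter box's second key
    signature: bytes = b""  # MAC over the fields above under the signature key

    def signed_bytes(self) -> bytes:
        # Canonical encoding of the fields covered by the signature (not the signature itself).
        header = f"{self.account_id}|{self.ascending}|{self.descending}|{self.update_counter}|"
        return header.encode() + self.enc_token_key


def derive_key(master: bytes, label: str) -> bytes:
    # Stand-in (assumption) for the page's "conventional" key derivation: one HMAC per label.
    return hmac.new(master, label.encode(), hashlib.sha256).digest()


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in (assumption) for the token-key encryption; symmetric, so it also decrypts.
    stream = hmac.new(key, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


class MeterBox:
    def __init__(self, master_sig_key: bytes, master_kek: bytes, period: str):
        # First key: record signatures, rotated by month/year. Second key: token-key decryption.
        self.sig_key = derive_key(master_sig_key, "sig:" + period)
        self.kek = derive_key(master_kek, "kek")
        self.freshness: dict[str, int] = {}  # box-side copy of each account's update counter

    def sign(self, rec: MeterRecord) -> MeterRecord:
        mac = hmac.new(self.sig_key, rec.signed_bytes(), hashlib.sha256).digest()
        return replace(rec, signature=mac)

    def open_account(self, account_id: str, token_key: bytes, funds: int) -> MeterRecord:
        # Record creation (outside FIG. 4): encrypt the token key, seed freshness, sign.
        enc = keystream_xor(self.kek, account_id.encode(), token_key)
        self.freshness[account_id] = 0
        return self.sign(MeterRecord(account_id, 0, funds, 0, enc))

    def process(self, rec: MeterRecord, postage: int) -> tuple[MeterRecord, str]:
        # Steps 205/210: recompute the MAC and compare in constant time.
        expected = hmac.new(self.sig_key, rec.signed_bytes(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, rec.signature):
            raise TamperAlert("signature mismatch")
        # Steps 220/225: freshness data in the record must equal the box's copy.
        if self.freshness.get(rec.account_id) != rec.update_counter:
            raise TamperAlert("stale or substituted meter record")
        # Step 235: decrypt the token key carried in the record.
        token_key = keystream_xor(self.kek, rec.account_id.encode(), rec.enc_token_key)
        # Step 240: accounting (the funds check is an added safeguard, not stated on the page).
        if postage <= 0 or postage > rec.descending:
            raise ValueError("postage amount not covered by descending register")
        new_counter = rec.update_counter + 1
        updated = replace(rec, ascending=rec.ascending + postage,
                          descending=rec.descending - postage,
                          update_counter=new_counter)
        # Steps 245/250: freshness data updated in the record (above) and in the box.
        self.freshness[rec.account_id] = new_counter
        # Step 255: token over the postal data, bound to this transaction's counter.
        postal_data = f"{rec.account_id}|{postage}|{new_counter}".encode()
        token = hmac.new(token_key, postal_data, hashlib.sha256).hexdigest()[:16]
        # Steps 260/265: sign the updated record and return it for storage.
        return self.sign(updated), token


def demo() -> dict:
    # Constructed keys, account and amounts for a stand-alone run.
    box = MeterBox(b"master-signature-key", b"master-token-kek", period="1997-06")
    rec0 = box.open_account("ACCT-0001", b"\x11" * 16, funds=10_000)
    rec1, token = box.process(rec0, postage=320)
    # Replaying the previous, still validly signed, record must fail the freshness check.
    try:
        box.process(rec0, postage=320)
        replay_blocked = False
    except TamperAlert:
        replay_blocked = True
    # Editing the stored record without the signature key must fail the MAC check.
    forged = replace(rec1, descending=rec1.descending + 5_000)
    try:
        box.process(forged, postage=1)
        forgery_blocked = False
    except TamperAlert:
        forgery_blocked = True
    return {"ascending": rec1.ascending, "descending": rec1.descending,
            "counter": rec1.update_counter, "token_len": len(token),
            "replay_blocked": replay_blocked, "forgery_blocked": forgery_blocked}
```

The two failure paths in demo() are the point of the design: a forged register value is caught by the MAC, but a replayed old record carries a genuine MAC and is caught only because the box keeps its own copy of the update counter. The example keys a single period; a box that really rotates the signature key by month and year would also need the previous period's key to verify records signed just before rollover, a detail the page leaves to the conventional derivation.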

It will be understood that, although the embodiments of the present invention are described as postage metering systems, the present invention is applicable to any value metering system that includes transaction evidencing, such as monetary transactions, item transactions and information transactions.

While the present invention has been disclosed and described with reference to embodiments thereof, it will be apparent, as noted above, that variations and modifications, such as using public-key signatures instead of the symmetric (private) signature keys described above, may be made therein. It is, thus, intended in the following claims to cover each variation and modification that falls within the true spirit and scope of the present invention.

What is claimed is:
1. A secure postage dispensing system comprising: a data center for dispensing postage in response to requests for postage from a plurality of remote user devices, the data center comprising: database means for storing data records, said data records including user information and meter information for individual metering accounts, each of said meter accounts being assigned to each of said plurality of remote user devices; means for receiving requests for postage evidencing from the plurality of remote user devices; means for authenticating each request for postage evidencing using said user information and said meter information corresponding to the metering account for the remote user device initiating the request for postage evidencing; and means for dispensing the requested postage evidence, said dispensing means including at least one first secure device, including processor and memory, wherein said first secure device obtains said meter information from said database means, verifies the authenticity of said meter information, generates the requested postage evidence, updates said meter information, digitally signs the updated meter information and returns the signed updated meter information to said database means.
2. The system of claim 1 wherein said means for receiving comprises a communication server and said database means comprises a database server, each being located at the data center.
3. The system of claim 1 wherein said database means includes a database of meter records, each of the meter records including the meter information corresponding to one of the metering accounts for the plurality of remote user devices and a signature of the meter information.
4. The system of claim 3 wherein said meter information includes ascending and descending registers, an encrypted token key and freshness data.
5. The system of claim 4 wherein the freshness data comprises a record update counter corresponding to the number of postage evidencing transactions processed by said secure device.
6. The system of claim 3 wherein said first secure device includes means for storing first and second cryptographic keys, the first key being used for verifying the signature in each meter record and for signing the updated meter information before returning each meter record to the database means, the second key being used for decrypting the encrypted token key in the meter record, said secure device using the token key for generating the requested evidence of postage.
7. The system of claim 6 wherein a function server processes each request received by said communication server and obtains the appropriate user information and meter information from said database server and sends the user information and meter information to the authenticating means and the dispensing means.
8. The system of claim 6, wherein said means for authenticating comprises a second secure box, including processor, memory and means for storing a third cryptographic key, the third key being used for verifying a signature associated with said user information of the metering account being processed.
9. The system of claim 8 further comprising a key management system server for generating and maintaining cryptographic keys used by the authenticating means and the dispensing means.
10. A method of evidencing postage payment, the method comprising the steps of: providing a plurality of meter records, each meter record including meter information corresponding to a metering account assigned to each of a plurality of remote user devices that are authorized to request evidence of postage payment; storing the plurality of meter records in a database at a data center; obtaining a first meter record when a request for evidence of postage payment is received by the data center; verifying the authenticity of the first meter record by verifying a signature in the first meter record; accounting for an amount of postage evidenced; generating a digital token as evidence of postage payment; updating the meter information in the first meter record; signing the updated meter information to update the signature of the first meter record; and returning the first meter record to the database.
11. The method of claim 10 wherein the steps of obtaining, verifying, accounting, generating, updating, signing and returning are performed in a secure device.
12. The method of claim 11 wherein the step of verifying the authenticity of the first meter record comprises the step of: comparing freshness data in the first meter record with freshness data stored in the secure device.
13. The method of claim 11 wherein the step of updating the meter information comprises the step of: updating the freshness data stored in the secure device and in the first meter record.